AppLocker Issue in Windows 7
Problem

Windows 7 Beta AppLocker publisher rules will not function properly for catalog-signed files with an expired certificate chain, including Windows system files.

Description

In Windows 7 Beta, AppLocker improperly evaluates the digital signatures of catalog-signed binaries (including Windows system binaries), which might lead to unexpected behavior. Timestamping is a method that allows a digital signature to remain valid after the signature's signing certificate has expired. The Windows system binaries included in the Windows 7 Beta build are catalog-signed with a digital certificate that expired on 18th December 2008. These Windows binaries' signatures are timestamped to ensure their validity. However, due to the current incorrect behavior, AppLocker ignores the timestamp on the binaries' signatures and therefore considers these files to be unsigned. As a result, AppLocker publisher rules created for Windows system files will not function properly and might cause the system to behave unexpectedly or even prevent the system from fully booting.

To ensure that Windows functions properly, you should create the default AppLocker rules. These rules include a path rule that allows all the files in the Windows directory to run. Because of this problem, you should also not create publisher rules in Windows 7 Beta that deny access to Windows system files, since AppLocker will be unable to match the file to a rule.

Resolution

If you have created one or more publisher rules for the Windows system files and cannot boot or log in to your system, perform the following steps to recover. If you are in a domain environment and the issue is occurring on a client machine, skip to step 2.

Step 1: Start Windows in safe mode

To start the computer in safe mode in Windows 7 Beta, follow these steps:
1. Restart your computer and start pressing the F8 key on your keyboard.
2. In the Windows Advanced Options menu, select Safe mode, and then press ENTER.

Step 2: Create the default rules

The default rules should be created for each rule collection where you want to enforce rules. There are four AppLocker rule collections in Windows 7 Beta: Executable, Windows Installer, Script, and DLL. To create the default AppLocker rules for a rule collection, perform the following steps.

Using local computer policy

Note: Perform this procedure on the computer that is being affected by the AppLocker publisher rules.
1. Open the Local Security Policy Microsoft Management Console (MMC) snap-in. To do this: click the Start button, type secpol.msc in the Search programs and files box, and then press ENTER.
2. In the console tree, locate and expand Application Control Policies, expand AppLocker, and then select the relevant rule collection.
3. Right-click the rule collection and then click Create Default Rules.

Using Group Policy

Note: Add the default rules to the GPO from which the affected computer is receiving the AppLocker publisher rules.
1. Open the Group Policy MMC snap-in:
   a. Click the Start button, type mmc in the Search programs and files box, and then press ENTER.
   b. On the File menu, click Add/Remove Snap-in.
   c. Click Add.
   d. Under Available Stand-alone Snap-ins, click Group Policy, and then click Add.
   e. If you do not want to edit the Local Computer policy, click Browse to locate the Group Policy object that you want. Supply your user name and password if prompted, and then, when you return to the Select Group Policy Object dialog box, click Finish.
      Note: You can use the Browse button to locate Group Policy objects linked to sites, domains, organizational units (OUs), or computers. Use the default Group Policy Object (GPO) (Local Computer) to edit the settings on the local computer.
   f. Click Close, and then in the Add/Remove Snap-in dialog box, click OK.
2. In the console tree, locate and expand Application Control Policies, expand AppLocker, and then select the relevant rule collection.
3. Right-click the rule collection and then click Create Default Rules.

Step 3: Restart Windows and wait for the welcome screen

Windows must now be restarted to apply the changes that you have just completed. On this restart, however, the process that starts the user's desktop (Explorer.exe) will initially be blocked. As a result, the Welcome screen will appear as Windows starts, but the Login screen will not be displayed. To complete this step, restart the computer, wait for the Welcome screen to appear, and then wait approximately two minutes for a black screen to appear.

Step 4: Restart Windows normally and verify the resolution

Finally, restart the computer normally and verify that Windows is now functioning properly.

Windows Client IT Pro Audience Manager for Web Forums
January 15th, 2009 5:49am
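The recovery above is done by hand through secpol.msc or the Group Policy editor. The following script is an added example, not part of the original post, showing how a practitioner would check the same two things before a rule set ever reaches a machine: whether AppLocker actually sees publisher information for the catalog-signed system binaries (if it does not, no publisher rule can match them, which is the Beta failure described), and whether a candidate policy containing the default Exe path rules allows Explorer.exe, winlogon.exe and userinit.exe. It assumes the AppLocker PowerShell module that shipped with released Windows 7 / Windows Server 2008 R2 and later (the Beta build discussed above did not include these cmdlets), an elevated session, and the three default rule names and path variables as AppLocker generates them; the rule Ids are generated fresh here and the output file name is arbitrary.

```powershell
# Added example; not from the original post. Requires the AppLocker module
# (released Windows 7 / Server 2008 R2 and later) and an elevated PowerShell.
Import-Module AppLocker

# Build a policy XML holding the three default Exe path rules that the
# "Create Default Rules" action produces. Rule Ids are generated here;
# AppLocker assigns its own Ids, which does not affect the test below.
function New-DefaultExeRulesXml {
    param([ValidateSet('NotConfigured', 'AuditOnly', 'Enabled')][string]$EnforcementMode = 'AuditOnly')

    $rules = @(
        @{ Name = '(Default Rule) All files located in the Windows folder';       Sid = 'S-1-1-0';      Path = '%WINDIR%\*' },
        @{ Name = '(Default Rule) All files located in the Program Files folder'; Sid = 'S-1-1-0';      Path = '%PROGRAMFILES%\*' },
        @{ Name = '(Default Rule) All files';                                      Sid = 'S-1-5-32-544'; Path = '*' }
    )
    $xml  = "<AppLockerPolicy Version=`"1`">`r`n"
    $xml += "  <RuleCollection Type=`"Exe`" EnforcementMode=`"$EnforcementMode`">`r`n"
    foreach ($r in $rules) {
        $xml += ('    <FilePathRule Id="{0}" Name="{1}" Description="" UserOrGroupSid="{2}" Action="Allow">' -f [guid]::NewGuid(), $r.Name, $r.Sid) + "`r`n"
        $xml += ('      <Conditions><FilePathCondition Path="{0}" /></Conditions>' -f $r.Path) + "`r`n"
        $xml += "    </FilePathRule>`r`n"
    }
    $xml += "  </RuleCollection>`r`n</AppLockerPolicy>`r`n"
    return $xml
}

$policyPath = Join-Path $env:TEMP 'applocker-default-exe.xml'   # arbitrary name
New-DefaultExeRulesXml | Set-Content -Path $policyPath -Encoding UTF8

# Binaries the post warns a mis-evaluated publisher rule can block at boot/logon.
$systemFiles = @("$env:WINDIR\explorer.exe",
                 "$env:WINDIR\System32\winlogon.exe",
                 "$env:WINDIR\System32\userinit.exe")

# What AppLocker sees for each catalog-signed file. An empty Publisher means
# AppLocker treats the file as unsigned, so no publisher rule can match it
# (the Beta symptom); only a path or hash rule could allow it in that state.
Get-AppLockerFileInformation -Path $systemFiles |
    Select-Object Path,
        @{ n = 'Publisher'; e = { if ($_.Publisher) { $_.Publisher.PublisherName } else { '<none: treated as unsigned>' } } } |
    Format-Table -AutoSize

# Dry-run the candidate policy before enforcing it: every system file must come
# back Allowed, otherwise enforcing it reproduces the logon failure above.
$results = Test-AppLockerPolicy -XmlPolicy $policyPath -Path $systemFiles -User Everyone
$results | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

$blocked = @($results | Where-Object { $_.PolicyDecision -ne 'Allowed' })
if ($blocked.Count -gt 0) {
    Write-Warning ("Do not enforce: {0} system file(s) would be blocked." -f $blocked.Count)
} else {
    # Merge the default rules (AuditOnly as built above) into the local policy,
    # then confirm the resulting collection with Get-AppLockerPolicy -Local -Xml.
    Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
    Write-Host 'Default Exe rules merged into the local AppLocker policy.'
}
```

Run it on a test machine before touching a GPO: Test-AppLockerPolicy evaluates the XML without applying it, so a rule set that would block Explorer.exe shows up as Denied or DeniedByDefault here instead of at the Welcome screen. Enforcement also requires the Application Identity service to be running, which the script does not start.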

AppLocker in Windows 7 helps you to remove unwanted and unknown applications within an organization's network, which also provides security and benefits.
December 10th, 2009 11:20am
